Outscale Key Management Service (OKMS) allows you to manage and fully control your encryption keys.

You can use OKMS to encrypt and decrypt sensitive data for use with 3DS OUTSCALE services and for your own development needs in your applications.

This service is available in beta, in the eu-west-2 Region only.


Customer Master Keys

Customer Master Keys (CMKs) are the main logical resources of OKMS. Each 3DS OUTSCALE account has a default CMK, which cannot be deleted. You can create additional CMKs. By default, your account has a quota of 20 CMKs.

CMKs are stored in Gemalto Hardware Security Modules (HSMs), which are specially secured hardware compliant with the FIPS 140-2 Level 3 standard. For maximum security, a CMK never leaves its HSM.

You can use a CMK to encrypt and decrypt up to 4096 bytes of data at a time.

Encryption/decryption with OKMS


Data Keys and Customer Master Keys

Data keys are random cryptographic materials that you can generate from a CMK. Unlike CMKs, data keys are not stored by OKMS.

You can use data keys to encrypt and decrypt large amounts of data using your own local encryption tools, such as OpenSSL. This practice of encrypting data using a data key, which is in turn encrypted by a CMK, is known as envelope encryption.

Envelope encryption/decryption with OKMS

The API calls related to data keys are designed to give you a safe way to encrypt and decrypt data without ever having to store the decrypted version of the data key outside the volatile memory of your machine.

Ensure you store the encrypted data key on persistent storage so that you can access your data again later. In contrast, each time you decrypt a data key, ensure you immediately clear the decrypted data key from your volatile memory to avoid compromising your data.

For more information on OKMS API calls, see the link in the Corresponding API Methods panel.


Encryption Contexts

When encrypting data using a CMK or when generating a data key using a CMK, you can specify one or more encryption contexts. Encryption contexts are optional key-value pairs of arbitrary text that you can add to the cryptographic operation.

To decrypt data or a data key that was encrypted with encryption contexts, you must specify the same encryption contexts, or the decryption will fail.

Ensure you store your encryption contexts on persistent storage to be able to re-access your data later on. By themselves, encryption contexts are not secret and can be safely stored in plaintext.
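
The envelope encryption flow and the encryption context rule described above, as an added Python example that is not 3DS OUTSCALE code and does not call the OKMS API. `MockKms`, its method names and the record layout are hypothetical, and a standard-library HMAC-SHA256 encrypt-then-MAC construction stands in for the authenticated cipher (AES-GCM, for example) you would use locally.

```python
import hashlib, hmac, json, secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):  # HMAC-SHA256 counter-mode keystream; same XOR both ways
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, aad, nonce, ct):
    # Length-prefix the associated data so (aad, nonce, ct) cannot be re-split.
    return _prf(_prf(key, b"mac"), len(aad).to_bytes(8, "big") + aad + nonce + ct)

def seal(key, plaintext, aad=b""):  # stand-in authenticated cipher (encrypt-then-MAC)
    nonce = secrets.token_bytes(16)
    ct = _xor(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _tag(key, aad, nonce, ct)

def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("decryption failed: wrong key, wrong context, or modified data")
    return _xor(_prf(key, b"enc"), nonce, ct)

def _aad(context):  # canonical form, so key order in the context does not matter
    return json.dumps(context, sort_keys=True).encode()

class MockKms:  # hypothetical local stand-in for OKMS; the CMK never leaves this object
    def __init__(self):
        self._cmk = secrets.token_bytes(32)
    def generate_data_key(self, context):
        key = bytearray(secrets.token_bytes(32))
        return key, seal(self._cmk, key, _aad(context))  # plaintext key + encrypted copy
    def decrypt_data_key(self, wrapped, context):
        return bytearray(unseal(self._cmk, wrapped, _aad(context)))

def envelope_encrypt(kms, data, context):
    key, wrapped = kms.generate_data_key(context)
    try:  # persist the encrypted data key and the ciphertext, never the plaintext key
        return {"wrapped_key": wrapped, "ciphertext": seal(key, data)}
    finally:
        key[:] = bytes(len(key))  # clear the plaintext data key (best effort in Python)

def envelope_decrypt(kms, record, context):
    key = kms.decrypt_data_key(record["wrapped_key"], context)
    try:
        return unseal(key, record["ciphertext"])
    finally:
        key[:] = bytes(len(key))
```

The encryption context is bound only to the wrapped data key, so the record and the context can both be stored in plaintext next to the ciphertext.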

Corresponding API Methods